The Seemingly Innocent Child's Toy That Germany Banned As A Concealed Surveillance Device
"Cayla knows millions of things," bragged a 2015 commercial for a doll that was hailed as "Gadget of the Year" in 2014 and initially sold well, according to The Christian Science Monitor. What the advertisement failed to mention was that some of those "millions of things" included the personal data of children that the device was collecting and selling to third parties for targeted advertising, per Education Week. Additionally, researchers could hack into the doll's Bluetooth system and secretly listen in on or even talk to children, according to the BBC.
Genesis Toys, the doll's manufacturer, described it as a "beautiful 18-inch fashion doll that offers hours of imaginative play," per the company's website. Behind the scenes, the doll used technology from a company that worked with military and intelligence agencies and had a privacy policy that allowed them to use the children's data to enhance military technology, according to Emma Day. The doll — like many other devices, including home security systems and smartwatches — was part of the Internet of Things (IoT), a massive market changing how we interact with our world.
What is the Internet of Things?
While the internet has changed how we work, play, and communicate, the Internet of Things has taken this to the next level. The futurist Kevin Ashton coined the term way back in 1999 and believed it was potentially as world-changing as the internet itself (via HistoryofInformation.com). At its most basic, the IoT is a system of interconnected devices that can collect and transfer data automatically over a wireless network, per the Scholarly Community Encyclopedia. The IoT market is expected to reach more than $413.7 billion by 2031, per GlobeNewswire.
This new world of interconnectivity, especially within the home, can pose problems for consumers, from data breaches to hackers gaining control of IoT devices to the mismanagement of collected data. For internet-connected toys, also known as smart toys, the risks are even more worrisome. In the case of My Friend Cayla, international agencies and non-governmental watchdogs sounded the alarm on the doll's potential risks.
Friendly Doll Gets a Bit Too Friendly
Los Angeles-based Genesis Toys launched the My Friend Cayla dolls in 2014, offering three different race models, two white and one Black. They had voice recognition technology and used Android or iOS mobile apps, per the manufacturer. The doll could understand and respond to questions in real-time and "tell stories, play games, share photos from her photo album, and sing too," per Genesis Toys. The doll would also promote movies from Disney, a corporation the manufacturer had a commercial relationship with, according to the Norwegian Consumer Council (Forbrukerrådet), a governmental consumer protection agency that looked into the product in 2016.
The Norwegian agency said Genesis Toys showed "a serious lack of understanding of children's rights to privacy and security" and found the toy to have lax security and illegal user terms under European Union laws. The agency also claimed the toy shared children's private data with third parties, among other problems. This was just the first of several complaints that would derail My Friend Cayla's success.
German Government Tells Parents to Destroy the Doll
Around the same time the Norwegian government came out against the doll, an international coalition of consumer action groups filed a complaint with the U.S. Federal Trade Commission against Genesis Toys and Nuance Communications, the company behind My Friend Cayla's voice recognition software. The complaint delved even deeper into the doll and the companies connected to it and alleged the toys posed "an imminent and immediate threat to the safety and security of children in the United States," per the complaint.
The next year, Germany's governmental consumer watchdog agency Bundesnetzagentur outright banned My Friend Cayla and told parents to destroy the doll if they had one at home, according to the BBC. My Friend Cayla, which the agency called a "concealed surveillance device" in a press release, fell afoul of Germany's strict privacy laws, per BBC. "Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people's privacy," Jochen Homann, the head of the agency, said in the press release. "This is also to protect the most vulnerable in our society."
The Doll Was Just One of Several Smart Toy Failures
Besides My Friend Cayla, the watchdogs lambasted another of Genesis Toy's products, i-Que. i-Que was an 11-inch tall motorized robot with a similar set-up to My Friend Cayla, and it had similar issues (per Genesis Toys). In 2015, Mattel found itself in the same boat as Genesis Toys when it released its Hello Barbie. A U.S. security researcher easily hacked into the doll and gained access to its stored audio files, system and account information, and microphone, making it possible to use Hello Barbie as a surveillance device (via The Guardian).
A third electronic toy manufacturer, VTech electronics, also had security issues. In 2015, a hacker gained access to the personal information of users — including hundreds of thousands of children — of its Kid Connect app, per the Federal Trade Commission. A complaint filed by the U.S. Department of Justice on behalf of the FTC resulted in the company paying a $650,000 fine for its lax security measures and for illegal data collection practices related to children.
Are These Toys Still Available?
At the time the various watchdogs called out Genesis Toys, the company's general manager, Peter Magalhaes, told CNET that My Friend Cayla was "basically the subject of a tech prank." According to the BBC, the toy's European distributor, Vivid Toy Group, claimed that few examples of hacking into the doll were "isolated and carried out by specialists." Elsewhere, Nuance Communications executive Richard Mack said (via the BBC), "Nuance does not share voice data collected from or on behalf of any of our customers with any of our other customers."
According to Emma Day, the Federal Trade Commission finished its investigation into the allegations against Genesis Toys and Nuance Communications in 2018 and took no action, but it's a moot point — neither My Friend Cayla nor i-Que is currently available from Genesis Toys. They can still be found on eBay, but the accompanying app is no longer on either the Android or IOS app stores, rendering these smart toys no longer smart. Mattel's Hello Barbie met a similar fate. Yet the company behind the doll's conversation technology, then known as ToyTalk, rebranded as PullString and was acquired by Apple in 2019, per TechCrunch.